6b2ea054c7f6e247167c0780c48ae52f8c95eb9c82f52f929bb31582e9b5a32c

General

Target

004749773756ce13d85d9598d4a73f0b.exe
Size

162KB
MD5

004749773756ce13d85d9598d4a73f0b
SHA1

afaa638180888267c366a50c3d8ac25a4e9cc18b
SHA256

6b2ea054c7f6e247167c0780c48ae52f8c95eb9c82f52f929bb31582e9b5a32c
SHA512

4a823e8eff33f2c7ba9b0eeef56fb73d0dfe700fcec922da04ae0c1f431749a112bd936032a429dab0344b0ce7826edb9d6ad63070f07557f576572891a943ce
SSDEEP

3072:fOIuHiSWoHMevkxo6v/Ff2Apx9A00rVPcPEcASBqStal:mPCeMev6nFjp4PrVPvDSBqj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3424	Explorer.EXE

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	004749773756ce13d85d9598d4a73f0b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	004749773756ce13d85d9598d4a73f0b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{b35a692e-cf9e-5451-6f58-4165b15137b5}\\n."	004749773756ce13d85d9598d4a73f0b.exe

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20
Destination IP	83.133.123.20

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\clsid	004749773756ce13d85d9598d4a73f0b.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}	004749773756ce13d85d9598d4a73f0b.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32	004749773756ce13d85d9598d4a73f0b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both"	004749773756ce13d85d9598d4a73f0b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{b35a692e-cf9e-5451-6f58-4165b15137b5}\\n."	004749773756ce13d85d9598d4a73f0b.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3444	004749773756ce13d85d9598d4a73f0b.exe
3444	004749773756ce13d85d9598d4a73f0b.exe
3444	004749773756ce13d85d9598d4a73f0b.exe
3444	004749773756ce13d85d9598d4a73f0b.exe
3444	004749773756ce13d85d9598d4a73f0b.exe
3444	004749773756ce13d85d9598d4a73f0b.exe
3444	004749773756ce13d85d9598d4a73f0b.exe
3444	004749773756ce13d85d9598d4a73f0b.exe
3424	Explorer.EXE
3424	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	004749773756ce13d85d9598d4a73f0b.exe
Token: SeDebugPrivilege	3444	004749773756ce13d85d9598d4a73f0b.exe
Token: SeDebugPrivilege	3444	004749773756ce13d85d9598d4a73f0b.exe
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeDebugPrivilege	3424	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3424	Explorer.EXE
3424	Explorer.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3424	3444	004749773756ce13d85d9598d4a73f0b.exe	50
PID 3444 wrote to memory of 3424	3444	004749773756ce13d85d9598d4a73f0b.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3424
- C:\Users\Admin\AppData\Local\Temp\004749773756ce13d85d9598d4a73f0b.exe
  "C:\Users\Admin\AppData\Local\Temp\004749773756ce13d85d9598d4a73f0b.exe"
  2⤵
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\{b35a692e-cf9e-5451-6f58-4165b15137b5}\n

Filesize
42KB

MD5
bfa0c9ec67cd0f1b2dabfc7777aae294

SHA1
c15a4686bda91546e4c3abba58530423c40da3dc

SHA256
f3a8ac1721abb9068c5c281dafeaebdf3a66f96954c9e882ef71dee9c44bc585

SHA512
e2e7b989e17dcf2f0c2b93e53671a6f34230b31b0daa152fd9ec84aa14055b1350960d5dbc7da02a03d4eda7c68f9082f6c8be053ec56c0bed5b2bd0ef38556f

Download Submit
memory/3424-7-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/3424-15-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/3424-12-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/3444-4-0x00000000021B0000-0x00000000021E5000-memory.dmp

Filesize
212KB

Download
memory/3444-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-5-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3444-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3444-14-0x00000000021B0000-0x00000000021E5000-memory.dmp

Filesize
212KB

Download
memory/3444-1-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads